User authentication systems play an important security role in data protection, as sensitive data is increasingly stored behind electronic authentication walls. Mobile devices, computers, and secure rooms may all be protected by various types of authentication. Many mobile devices, for example, authenticate users with a one-time password as part of a multi-factor approach. The one-time passwords are often short numbers generated securely and sent to the user via text message or email for entry into a web form. Entering the correct number verifies possession of the registered mobile device, and the user is then validated.
Typical one-time passwords have limitations ranging from user inconveniences to high-risk vulnerabilities that have been exposed in the past. Users may enter the one-time password manually into a web form or application to verify receipt, a process subject to the inconvenience of typographical errors. Similarly, users who do not regularly delete earlier one-time passwords may select an incorrect one for entry. One-time passwords are also relatively short in many cases (e.g., four to six digits), and short codes pose a security risk because the number is more easily guessed. Additionally, one-time passwords may be exposed by Stingray-type cell-site simulators or by malware on the handset, either of which can let an attacker retrieve the code from the user device before the user knows it has arrived. Traditional one-time passwords may also be vulnerable to man-in-the-middle (MIM) attacks, where an attacker intercepts the one-time password, changes the parameters of the interaction, and forwards the altered payload along with the still-valid code. One-time passwords (OTPs) sent via text message also may not include a source identifier: the message arrives with no return phone number, provider name, URL, or other indication of where the OTP came from.
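As an added example (not part of the original text), the following server-side verifier shows one way to address the gaps described above: each code is bound to the transaction parameters it was issued for, so a relayed code fails once any parameter has been altered; attempts and lifetime are capped to limit guessing of a short code; and the delivered message names its issuer. The class, the `OtpVerifier` methods and the parameter names are hypothetical.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6       # four to six digits is typical; guessing odds are 1 in 10**OTP_DIGITS per try
TTL_SECONDS = 300    # a code is only accepted for five minutes
MAX_ATTEMPTS = 5     # caps an attacker's odds at MAX_ATTEMPTS / 10**OTP_DIGITS per issued code


def canonical(params: dict) -> str:
    """Stable, order-independent rendering of the transaction parameters."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))


class OtpVerifier:
    """Server side of an OTP check (hypothetical design, not a standard API).

    A code is issued for one set of transaction parameters (e.g. payee and amount).
    verify() only succeeds if the submitted code AND the submitted parameters match
    what the code was issued for, so an intermediary that forwards the correct code
    with altered parameters is rejected."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._pending = {}           # session_id -> [code, canonical params, issued_at, attempts]

    def issue(self, session_id: str, params: dict, issuer: str):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = [code, canonical(params), self._clock(), 0]
        # The out-of-band message carries a source identifier and the bound action,
        # which a bare SMS code lacks.
        message = f"{issuer}: code {code} for {canonical(params)}. Expires in {TTL_SECONDS // 60} min."
        return code, message

    def verify(self, session_id: str, code: str, params: dict) -> bool:
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        expected_code, expected_params, issued_at, attempts = entry
        if self._clock() - issued_at > TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]            # expired or locked out: a new code must be issued
            return False
        entry[3] += 1                                # count the attempt before comparing
        # Code and parameters are compared together, in constant time.
        ok = hmac.compare_digest(f"{code}|{canonical(params)}".encode(),
                                 f"{expected_code}|{expected_params}".encode())
        if ok:
            del self._pending[session_id]            # single use
        return ok
```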